Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: /var/tmp/maven-repo/antlr/antlr/2.7.2/antlr-2.7.2.jar
MD5: a73459120df5cadf75eaa98453433a01
SHA1: 546b5220622c4d9b2da45ad1899224b6ce1c8830
Referenced In Project:
Sass Compiler Plugin
Description: AOP Alliance
License:
Public DomainFile Path: /var/tmp/maven-repo/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
Description: Dawid Kurzyniec's backport of JSR 166
License:
Public Domain: http://creativecommons.org/licenses/publicdomainFile Path: /var/tmp/maven-repo/backport-util-concurrent/backport-util-concurrent/3.1/backport-util-concurrent-3.1.jar
File Path: /var/tmp/maven-repo/classworlds/classworlds/1.1-alpha-2/classworlds-1.1-alpha-2.jar
MD5: 82cacb7d9724c4a4e4d20f004884d4da
SHA1: 05adf2e681c57d7f48038b602f3ca2254ee82d47
Referenced In Project:
Sass Compiler Plugin
Description: JSR305 Annotations for Findbugs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/com/google/code/findbugs/jsr305/2.0.1/jsr305-2.0.1.jar
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/com/google/guava/guava/18.0/guava-18.0.jar
Description: Guice is a lightweight dependency injection framework for Java 6 and above
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/com/google/inject/guice/4.0/guice-4.0-no_aop.jar
Description: BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Vulnerable Software & Versions: (show all)
Description: An implmentation of the GoF Chain of Responsibility pattern
License:
The Apache Software License, Version 2.0: /LICENSE.txtFile Path: /var/tmp/maven-repo/commons-chain/commons-chain/1.1/commons-chain-1.1.jar
Description: The codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
License:
The Apache Software License, Version 2.0: /LICENSE.txtFile Path: /var/tmp/maven-repo/commons-codec/commons-codec/1.3/commons-codec-1.3.jar
Description: Types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Vulnerable Software & Versions: (show all)
Description:
The Digester package lets you configure an XML to Java object mapping module
which triggers certain actions called rules whenever a particular
pattern of nested XML elements is recognized.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/commons-digester/commons-digester/1.8.1/commons-digester-1.8.1.jar
Description:
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/commons-io/commons-io/2.5/commons-io-2.5.jar
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/commons-lang/commons-lang/2.4/commons-lang-2.4.jar
Description: Apache Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
Description:
Apache Commons Validator provides the building blocks for both client side validation and server side data validation.
It may be used standalone or with a framework like Struts.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/commons-validator/commons-validator/1.4.1/commons-validator-1.4.1.jar
File Path: /var/tmp/maven-repo/dom4j/dom4j/1.1/dom4j-1.1.jar
MD5: f1c39d0d2b2c6f5ffb0046841a34b5c9
SHA1: 0690b3108a502c8f033ea87e7278aec309ffa668
Referenced In Project:
Sass Compiler Plugin
Description: JSR-250 Reference Implementation by Glassfish
License:
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.htmlFile Path: /var/tmp/maven-repo/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar
Description: APIs for JSR-299: Contexts and Dependency Injection for Java EE
File Path: /var/tmp/maven-repo/javax/enterprise/cdi-api/1.0/cdi-api-1.0.jar
MD5: 462c0959f0322016495f4598243bc0f2
SHA1: 44c453f60909dfc223552ace63e05c694215156b
Referenced In Project:
Sass Compiler Plugin
Description: The javax.inject API
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/javax/inject/javax.inject/1/javax.inject-1.jar
Description:
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/apache/commons/commons-lang3/3.4/commons-lang3-3.4.jar
Description:
HttpComponents Client (base module)
License:
Apache License: ../LICENSE.txtFile Path: /var/tmp/maven-repo/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Vulnerable Software & Versions: (show all)
Description:
HttpComponents Core (Java 1.3 compatible)
License:
Apache License: http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: /var/tmp/maven-repo/org/apache/httpcomponents/httpcore/4.0.1/httpcore-4.0.1.jar
Description: Doxia core classes and interfaces.
File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-core/1.6/doxia-core-1.6.jar
MD5: b6de6f089320d64d2520e61ebdb0202b
SHA1: 61dd1084ec7d093086db714537439b02c76f0deb
Referenced In Project:
Sass Compiler Plugin
Description: The Decoration Model handles the decoration descriptor for sites, also known as site.xml.
File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-decoration-model/1.6/doxia-decoration-model-1.6.jar
MD5: ee947d775ed462ae4405e1b091b75c97
SHA1: 5143fc30d9b6e6b8636212b5caf4139f1b68ad2f
Referenced In Project:
Sass Compiler Plugin
Description: Doxia Logging API.
File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-logging-api/1.7/doxia-logging-api-1.7.jar
MD5: 685d0eddaa6c6e6828863b985f25d7cf
SHA1: 026b1ace473b018f4b0053f7d525ddd1cfb777df
Referenced In Project:
Sass Compiler Plugin
Description:
A Doxia module for FML source documents.
FML format is only supported as source format.
File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-module-fml/1.6/doxia-module-fml-1.6.jar
MD5: 8ee4f701bebf5ae903258753daf007e1
SHA1: 67e3faa49307e003ba717eb53330aeb02861de19
Referenced In Project:
Sass Compiler Plugin
Description:
A Doxia module for Xhtml source documents.
Xhtml format is supported both as source and target formats.
File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-module-xhtml/1.6/doxia-module-xhtml-1.6.jar
MD5: 7a6ac991e2fa35a6d9af5f75f975fe55
SHA1: 71dc8d1ce4c5fcd976aecb8339e331ba9f46f7e3
Referenced In Project:
Sass Compiler Plugin
Description: Doxia Sink API.
File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-sink-api/1.7/doxia-sink-api-1.7.jar
MD5: 77ed4a3d25c0e5c8c8908880868b2fc4
SHA1: 64482f540f8f45c0749b2febdb78ee3148a52b58
Referenced In Project:
Sass Compiler Plugin
Description: The Site Renderer handles the rendering of sites, merging site decoration with document content.
File Path: /var/tmp/maven-repo/org/apache/maven/doxia/doxia-site-renderer/1.6/doxia-site-renderer-1.6.jar
MD5: 3e973ac502710a58a7f05db3676854e6
SHA1: 99ca276310172f91700577383730090c285c5126
Referenced In Project:
Sass Compiler Plugin
Description: Extensions to Aether for utilizing Maven POM and repository metadata.
File Path: /var/tmp/maven-repo/org/apache/maven/maven-aether-provider/3.3.9/maven-aether-provider-3.3.9.jar
MD5: a59398f1c07cdb0acb7241c912277727
SHA1: 29e8e7122f7a166ea53785cd75af0ef9d4d848d4
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/apache/maven/maven-artifact-manager/2.2.1/maven-artifact-manager-2.2.1.jar
MD5: f3e76a8a83f422a900886543c48914f7
SHA1: ec355b913c34d37080810f98e3f51abecbe1572b
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/apache/maven/maven-artifact/3.3.9/maven-artifact-3.3.9.jar
MD5: eabb57cd2980b2776fa4c441307ea60c
SHA1: 0f43afa184555fbc6e36b3334b17246c39b30f6e
Referenced In Project:
Sass Compiler Plugin
Description: Support for descriptor builders (model, setting, toolchains)
File Path: /var/tmp/maven-repo/org/apache/maven/maven-builder-support/3.3.9/maven-builder-support-3.3.9.jar
MD5: 2e6239035784eaa473c2254906499b73
SHA1: a96f29da7623c0e1db9824f628548fe8181f6dd0
Referenced In Project:
Sass Compiler Plugin
Description: Maven Core classes.
File Path: /var/tmp/maven-repo/org/apache/maven/maven-core/3.3.9/maven-core-3.3.9.jar
MD5: 26ca8120bcd92b50cd3eeaf72857f10b
SHA1: 47154012330ea639849c618ebc11cff6870e570a
Referenced In Project:
Sass Compiler Plugin
Description: The effective model builder, with inheritance, profile activation, interpolation, ...
File Path: /var/tmp/maven-repo/org/apache/maven/maven-model-builder/3.3.9/maven-model-builder-3.3.9.jar
MD5: 1f2574146387b9bf42d8c6f474c31dc0
SHA1: e2055f9adb9f3c9a93e6b36fffe79781a785de2d
Referenced In Project:
Sass Compiler Plugin
Description: Model for Maven POM (Project Object Model)
File Path: /var/tmp/maven-repo/org/apache/maven/maven-model/3.3.9/maven-model-3.3.9.jar
MD5: 7cad05127acd17c06329852e268f92e7
SHA1: 6efde8cbcb4de4c47f7e9c2a3ab2806022b5c70f
Referenced In Project:
Sass Compiler Plugin
Description: The API for plugins - Mojos - development.
File Path: /var/tmp/maven-repo/org/apache/maven/maven-plugin-api/3.3.9/maven-plugin-api-3.3.9.jar
MD5: 2de70681e18aae4f174b0760e4e69281
SHA1: aa706ea7ca23776861b4eb2cea97cf345e791496
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/apache/maven/maven-plugin-registry/2.2.1/maven-plugin-registry-2.2.1.jar
MD5: 46a27ab81d327e3f5fd1d3e435fe2aad
SHA1: 72a24b7775649af78f3986b5aa7eb354b9674cfd
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/apache/maven/maven-profile/2.2.1/maven-profile-2.2.1.jar
MD5: 53dd14e28aaad4bd5dd379dfdbf46a4c
SHA1: 3950071587027e5086e9c395574a60650c432738
Referenced In Project:
Sass Compiler Plugin
Description: This library is used to not only read Maven project object model files, but to assemble inheritence
and to retrieve remote models as required.
File Path: /var/tmp/maven-repo/org/apache/maven/maven-project/2.2.1/maven-project-2.2.1.jar
MD5: 8f9382d7c0c120e94c2aaf8bbe817b6f
SHA1: 8239e98c16f641d55a4ad0e0bab0aee3aff8933f
Referenced In Project:
Sass Compiler Plugin
Description: Per-directory local and remote repository metadata.
File Path: /var/tmp/maven-repo/org/apache/maven/maven-repository-metadata/3.3.9/maven-repository-metadata-3.3.9.jar
MD5: a518f665a8e0c80cd7b37d7e19e90095
SHA1: 6850232b35e504057d67bde11efddebf6271e1ce
Referenced In Project:
Sass Compiler Plugin
Description: The effective settings builder, with inheritance and password decryption.
File Path: /var/tmp/maven-repo/org/apache/maven/maven-settings-builder/3.3.9/maven-settings-builder-3.3.9.jar
MD5: 20834b05fa4db46b67c963f3e1b91ed5
SHA1: fe5ad82564dc07a31855da543db8d5376def3c26
Referenced In Project:
Sass Compiler Plugin
Description: Maven Settings model.
File Path: /var/tmp/maven-repo/org/apache/maven/maven-settings/3.3.9/maven-settings-3.3.9.jar
MD5: 9d67ab18c16b98763ee9142e87b62d22
SHA1: 68d4180c51468ae8f45869f8f9c569092262fcca
Referenced In Project:
Sass Compiler Plugin
Description: Java 5 annotations to use in Mojos
File Path: /var/tmp/maven-repo/org/apache/maven/plugin-tools/maven-plugin-annotations/3.4/maven-plugin-annotations-3.4.jar
MD5: c35fde211323d4bb06d5b1a41ef23807
SHA1: 18624421fb35f5ade7397c18b40878396f672bc5
Referenced In Project:
Sass Compiler Plugin
Description: API to manage report generation.
File Path: /var/tmp/maven-repo/org/apache/maven/reporting/maven-reporting-api/3.0/maven-reporting-api-3.0.jar
MD5: 48cd00abc388c5156879b335e869adab
SHA1: b2541dd07d08cd5eff9bd4554a2ad6a4198e2dfe
Referenced In Project:
Sass Compiler Plugin
Description: Abstract classes to manage report generation.
File Path: /var/tmp/maven-repo/org/apache/maven/reporting/maven-reporting-impl/2.4/maven-reporting-impl-2.4.jar
MD5: dcee359d96eb75ba8665dded8f117d23
SHA1: 90004c570cfad44712cc42a4ee8167e13f227420
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/apache/maven/shared/maven-shared-utils/0.8/maven-shared-utils-0.8.jar
MD5: b94a3d2b3e177dfcac19d8980d03099b
SHA1: bb2d10333e4c7c4cdc25f3c1acb34a74c098568c
Referenced In Project:
Sass Compiler Plugin
Description:
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
File Path: /var/tmp/maven-repo/org/apache/maven/shared/maven-shared-utils/0.8/maven-shared-utils-0.8.jar/META-INF/maven/commons-io/commons-io/pom.xml
MD5: 8dcc8cd4255c1f23e7f58780a943cefb
SHA1: 1ef24807b2eaf9d51b5587710878146d630cc855
Description: Maven Wagon API that defines the contract between different Wagon implementations
File Path: /var/tmp/maven-repo/org/apache/maven/wagon/wagon-provider-api/2.10/wagon-provider-api-2.10.jar
MD5: d03edb1bcae2b9c32a6b68c8333b4b6d
SHA1: 0cd9cdde3f56bb5250d87c54592f04cbc24f03bf
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar
MD5: 868de456b4d4331d6dcc4e8d3bee884e
SHA1: 66178d4a9279ebb1cd1eb79c10dc204b4199f061
Referenced In Project:
Sass Compiler Plugin
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Vulnerable Software & Versions: (show all)
File Path: /var/tmp/maven-repo/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.jar
MD5: 0effb2e71f676c25d76c3ae5dd6674f9
SHA1: e87e9817bdf03c2367fb5f6d5ead953db2df4c21
Referenced In Project:
Sass Compiler Plugin
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Vulnerable Software & Versions: (show all)
File Path: /var/tmp/maven-repo/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.jar
MD5: f41992ab2729b1cb9c6b4721465aa4e4
SHA1: 6d212f8ea5d908bc9906e669428b7694dff60785
Referenced In Project:
Sass Compiler Plugin
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Vulnerable Software & Versions: (show all)
Description:
VelocityTools is an integrated collection of Velocity subprojects
with the common goal of creating tools and infrastructure to speed and ease
development of both web and non-web applications using the Velocity template
engine.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/apache/velocity/velocity-tools/2.0/velocity-tools-2.0.jar
Description: Apache Velocity is a general purpose template engine.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/apache/velocity/velocity/1.5/velocity-1.5.jar
Description: A class loader framework
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-classworlds/2.5.2/plexus-classworlds-2.5.2.jar
Description:
Plexus Component "Java 5" Annotations, to describe plexus components properties in java sources with
standard annotations instead of javadoc annotations.
File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-component-annotations/1.6/plexus-component-annotations-1.6.jar
MD5: 5ad66cc6f2b6813485d624ed581d61be
SHA1: 1a34a4e12b5fded8c548a568f463dfee21500927
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-container-default/1.0-alpha-9-stable-1/plexus-container-default-1.0-alpha-9-stable-1.jar
MD5: 99533a9d3e0fa3280cd0bd3426c5f99b
SHA1: 94aea3010e250a334d9dab7f591114cd6c767458
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-i18n/1.0-beta-7/plexus-i18n-1.0-beta-7.jar
MD5: 65d4f673bd0c49dbc67e020e96b00753
SHA1: 3690f10a668b3c7ac2ef563f14cfb6b2ba30ee57
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-interpolation/1.21/plexus-interpolation-1.21.jar
MD5: 6629656495f4e5eac4f244fe3b252ea1
SHA1: f92de59d295f16868001644acc21720f3ec9eb15
Referenced In Project:
Sass Compiler Plugin
Description: A collection of various utility classes to ease working with strings, files, command lines, XML and
more.
File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
MD5: 2a32677a099da7c5b9b2b39c066f2cc6
SHA1: 764f26e0ab13a87c48fe55f525dfb6a133b7a92f
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/codehaus/plexus/plexus-velocity/1.1.7/plexus-velocity-1.1.7.jar
MD5: d460d060e07b3bccaf6593440ce7be1e
SHA1: 1440fc2552d1405b1c2d380ef3b96c4d9c6dbd0b
Referenced In Project:
Sass Compiler Plugin
Description:
The application programming interface for the repository system.
License:
http://www.eclipse.org/legal/epl-v10.htmlFile Path: /var/tmp/maven-repo/org/eclipse/aether/aether-api/1.0.2.v20150114/aether-api-1.0.2.v20150114.jar
Description:
An implementation of the repository system.
License:
http://www.eclipse.org/legal/epl-v10.htmlFile Path: /var/tmp/maven-repo/org/eclipse/aether/aether-impl/1.0.2.v20150114/aether-impl-1.0.2.v20150114.jar
Description:
The service provider interface for repository system implementations and repository connectors.
License:
http://www.eclipse.org/legal/epl-v10.htmlFile Path: /var/tmp/maven-repo/org/eclipse/aether/aether-spi/1.0.2.v20150114/aether-spi-1.0.2.v20150114.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.
Vulnerable Software & Versions: (show all)
Description:
A collection of utility classes to ease usage of the repository system.
License:
http://www.eclipse.org/legal/epl-v10.htmlFile Path: /var/tmp/maven-repo/org/eclipse/aether/aether-util/1.0.2.v20150114/aether-util-1.0.2.v20150114.jar
License:
http://www.eclipse.org/legal/epl-v10.htmlFile Path: /var/tmp/maven-repo/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.2/org.eclipse.sisu.inject-0.3.2.jar
License:
http://www.eclipse.org/legal/epl-v10.htmlFile Path: /var/tmp/maven-repo/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.2/org.eclipse.sisu.plexus-0.3.2.jar
Description: JRuby 9.1.2.0 OSGi bundle
License:
http://www.gnu.org/licenses/gpl-3.0-standalone.html, http://www.gnu.org/licenses/lgpl-3.0-standalone.html, http://www.eclipse.org/legal/epl-v10.htmlFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Vulnerable Software & Versions:
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/jni/i386-Windows/jffi-1.2.dll
MD5: 841e60814ed6b2971a47b267aef1c58a
SHA1: 07d30c6407fefad8df4b6afc4d85f83e547975ca
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/jni/x86_64-Windows/jffi-1.2.dll
MD5: 5d80b61c1f9e31860c17b3a410948e7e
SHA1: 5ca292116336ee4ceed00d10e756afea580e62cf
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/bin/jrubyw.exe
MD5: 62b31f26af4b2c0ffe078d17a10c1a7b
SHA1: b9ea7099f43ec31ee907326d4261d778aef9059a
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/jar-dependencies-0.3.2.gemspec
MD5: 9aa4c85e42af99eee1c7436f8d9feea3
SHA1: c2802265d538f551f3c692eb6d65a81e37898819
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/jruby-openssl-0.9.15-java.gemspec
MD5: a476df5aec0907a89cd9eb90af6992a0
SHA1: 07af4c1736cdeded00cb54aa5f230ee9630969ee
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session, NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code
The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code
The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
Vulnerable Software & Versions: (show all)
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/json-1.8.3-java.gemspec
MD5: 5eaf31c5d0da0413ad7f4005be3b4a18
SHA1: 24c9ba6aa50489aeb4ff2b16dc4b6920f0f84aeb
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Vulnerable Software & Versions:
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/minitest-5.4.1.gemspec
MD5: cad713d13ea10dca1d3d301ae89095b6
SHA1: 77e07c04707da19fea9367e20c98ad4b0213940b
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/net-telnet-0.1.1.gemspec
MD5: 2dbf210f06ee958d06e7ad1c7dab6874
SHA1: 94fc59346cc5b058176b94037b877ad3b5d254b4
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/power_assert-0.2.3.gemspec
MD5: b9c7fd8616868906ed899dfc029bde5f
SHA1: 739561c3ce5a183b8bca344cbb07b5e2280db198
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/psych-2.0.17-java.gemspec
MD5: f9d0bafe90a629f61c13b896b83d4b89
SHA1: 9015c344519591012da277050d208cdbacf7f210
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/racc-1.4.13-java.gemspec
MD5: 73a6e8098118cdbcf985bfe577a793cc
SHA1: 3686e655c90c083a9c8c8a40bfa66d346048afbb
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/rake-10.4.2.gemspec
MD5: b65000317e704ddebc33513f09d00c7b
SHA1: 0adcc512220c493a50fdd13e48b49d09f6331f16
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/rdoc-4.2.0.gemspec
MD5: e7cfbce03b095e6c28d50fe5400b3ed6
SHA1: 8070e3c86e978a6ad7383b9ac6f1c534662d9160
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/gems/shared/specifications/default/test-unit-3.1.1.gemspec
MD5: af9719b6b8922c3dbdd115b3bdf133ff
SHA1: 2e060d376279be4bca0616b85a37e5ede51585b1
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/ffi/tools/Rakefile
MD5: 0f5f4d1794d04c02252221ba8a1465a5
SHA1: c37abced3b762a0d4c39043b897ca4043bd227ad
Description: Sonatype helps open source projects to set up Maven repositories on https://oss.sonatype.org/
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/jline/jline/2.11/jline-2.11.jar
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/jline/jline/2.11/jline-2.11.jar/META-INF/native/windows32/jansi.dll
MD5: 1e56641bb68937f8e2020cbff5d04a08
SHA1: 97f6e12599bb5848867b9762184d055ed918ab2a
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/jline/jline/2.11/jline-2.11.jar/META-INF/native/windows64/jansi.dll
MD5: fd3a20891286c958103f3ea07174cd3c
SHA1: 829195c9e338d5725cf304ae33fc209db53884eb
Description: Date and time library to replace JDK date handling
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/joda-time/joda-time/2.3/joda-time-2.3.jar
Description: JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library.
License:
EPL-1.0: http://opensource.org/licenses/EPL-1.0 GPL-2.0: http://opensource.org/licenses/GPL-2.0 LGPL-2.1: http://opensource.org/licenses/LGPL-2.1File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/jopenssl.jar
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session, NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code
The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-17 Code
The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-310 Cryptographic Issues
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
Vulnerable Software & Versions: (show all)
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/json/ext/generator.jar
MD5: 9a3d59c751290cace181e8de11a41755
SHA1: b5129f6559d9a45e91c39f2b9adcba8b2a823200
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/json/ext/parser.jar
MD5: 5d68c415bab614f7022b579f31fb850c
SHA1: ec58e349d82741d32b381f86b3a2e18892160aff
Description: The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/org/bouncycastle/bcpkix-jdk15on/1.54/bcpkix-jdk15on-1.54.jar
Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar
Description: YAML 1.1 parser and emitter for Java
License:
Apache License Version 2.0: LICENSE.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/org/yaml/snakeyaml/1.14/snakeyaml-1.14.jar
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/psych.jar
MD5: 819c4b99eefabe587bbdfe8d2b2ee30d
SHA1: 7576dce2febe3a3dfde6d7d27a933da4d3ee7d4e
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/racc/cparse-jruby.jar
MD5: 1d12831e62f838a59abb7b44a20c8686
SHA1: c5b876825b6cbe622111b07fc205515a2f782615
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
Vulnerable Software & Versions: (show all)
Description: readline extension for JRuby
License:
EPL-1.0 GPL-2.0 LGPL-2.1File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/stdlib/readline.jar
Severity:
Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
Vulnerable Software & Versions: (show all)
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/truffle/pr-zlib/pr-zlib.gemspec
MD5: b4e286bddea3a9392a84741e887e8502
SHA1: e3998ae59fc214d52e03f21f7f72e6e93efb64bb
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/jruby.home/lib/ruby/truffle/pr-zlib/Rakefile
MD5: 923ba4c739f59fa2b6868c442a4da16c
SHA1: 5c2705b05dd5c7f5d4927a864d3a36f4aef93017
Description: Java Foreign Function Interface
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jffi/pom.xml
Description: A set of platform constants (e.g. errno values)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-constants/pom.xml
Description: Native I/O access for java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-enxio/pom.xml
Description: A library for invoking native functions from java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-ffi/pom.xml
Description: Lookup TCP and UDP services from java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-netdb/pom.xml
Description:
Common cross-project/cross-platform POSIX APIs
License:
Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.htmlFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-posix/pom.xml
Description: Native I/O access for java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-unixsocket/pom.xml
Description: A pure-java X86 and X86_64 assembler
License:
MIT License: http://www.opensource.org/licenses/mit-license.phpFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.github.jnr/jnr-x86asm/pom.xml
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.headius/invokebinder/pom.xml
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.headius/options/pom.xml
Description: JZlib is a re-implementation of zlib in pure Java
License:
BSD: http://www.jcraft.com/jzlib/LICENSE.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.jcraft/jzlib/pom.xml
Description:
Nailgun is a client, protocol, and server for running Java programs from
the command line without incurring the JVM startup overhead. Programs run
in the server (which is implemented in Java), and are triggered by the
client (written in C), which handles all I/O.
This project contains the SERVER ONLY.
File Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/com.martiansoftware/nailgun-server/pom.xml
MD5: 365276754761735cc069e439a401fa8d
SHA1: 55ac54d56cbaa9468e964f4dc20b201cde1c611f
Description: Date and time library to replace JDK date handling
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/joda-time/joda-time/pom.xml
Description:
Java port of Oniguruma: http://www.geocities.jp/kosako3/oniguruma
that uses byte arrays directly instead of java Strings and chars
License:
MIT License: http://www.opensource.org/licenses/mit-license.phpFile Path: /var/tmp/maven-repo/org/jruby/jruby-complete/9.1.2.0/jruby-complete-9.1.2.0.jar/META-INF/maven/org.jruby.joni/joni/pom.xml
File Path: /var/tmp/maven-repo/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar
MD5: 7b2d6fcf0d5800d5b1ce09d98d98dcaf
SHA1: 50ade46f23bb38cd984b4ec560c46223432aac38
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/org/sonatype/plexus/plexus-sec-dispatcher/1.3/plexus-sec-dispatcher-1.3.jar
MD5: 53160199f5667de3fca69b723173639b
SHA1: dedc02034fb8fcd7615d66593228cb71709134b4
Referenced In Project:
Sass Compiler Plugin
File Path: /var/tmp/maven-repo/oro/oro/2.0.8/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
Referenced In Project:
Sass Compiler Plugin
License:
Apache Software License, Version 1.1: http://www.apache.org/licenses/LICENSE-1.1File Path: /var/tmp/maven-repo/sslext/sslext/1.2-0/sslext-1.2-0.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check.
Vulnerable Software & Versions:
Description: XMLUnit compares a control XML document to a test document or the result of a transformation, validates documents, and compares the results of XPath expressions.
License:
BSD License: http://xmlunit.svn.sourceforge.net/viewvc/*checkout*/xmlunit/trunk/xmlunit/LICENSE.txtFile Path: /var/tmp/maven-repo/xmlunit/xmlunit/1.5/xmlunit-1.5.jar